I need help to write a query all sources to a golan sink

[obounaim]

Hi,

I am trying to learn a bit how to use CodeQL, I wrote the query bellow to try to list all sources to a golang sink exec.CommandContext. However, why I try to run it, I get an error and the query just fails.

/**
 * @id go-command-context-data-flow
 * @name Find data flow to exec.CommandContext 
 * @description Find data flow to exec.CommandContext 
 * @kind path-problem
 * @tags data-flow
 * @imports semmle.go.dataflow.TaintTracking
 */

import go
import semmle.go.dataflow.TaintTracking
import semmle.go.dataflow
 
class AllToAllConfiguration extends TaintTracking::Configuration {
   AllToAllConfiguration() { this = "AllToAllConfiguration" }
 
   override predicate isSource(DataFlow::Node source) {
     exists(Param p |
       source.asExpr() = p
     )
   }
 
   override predicate isSink(DataFlow::Node sink) {
    exists(Call call |
      call.getTarget().hasQualifiedName("exec", "CommandContext") and
      sink.asExpr() = call.getArgument(0)
    )
   }
}
 
from AllToAllConfiguration config, TaintTracking::PathNode sourceNode, TaintTracking::PathNode sinkNode
where config.hasFlowPath(sourceNode, sinkNode)
select sinkNode,
  "Data flows from " 
  + sourceNode.getNode().toString() 
  + " (param) to "
  + sinkNode.getNode().toString() 
  + " (call argument)."

Could you please help, find whats wrong with it ?

Thanks in advance.

[Sim4n6]

What is the errors message ?

[redsun82]

is it this?

Compiling query plan for /workspaces/semmle-code/ql/go/ql/src/foo.ql.
Oops! A fatal internal error occurred. Details:
java.lang.NullPointerException: Cannot invoke "com.semmle.frontend.binding.Binding.getEntity()" because "binding" is null
        at com.semmle.frontend.analysis.binding2.QLBindingContext2.isString(QLBindingContext2.java:783)
        at com.semmle.frontend.analysis.QLReferenceGraphBuilder.visit(QLReferenceGraphBuilder.java:440)
        at com.semmle.frontend.analysis.QLReferenceGraphBuilder.visit(QLReferenceGraphBuilder.java:93)
        at com.semmle.frontend.ast.BinaryOperationExpression.accept(BinaryOperationExpression.java:41)
        at com.semmle.frontend.ast.visit.DefaultTermExprVisitor.visitExpression(DefaultTermExprVisitor.java:189)
        at com.semmle.frontend.analysis.QLReferenceGraphBuilder.visitExpression(QLReferenceGraphBuilder.java:428)
        at java.base/java.util.ArrayList.forEach(Unknown Source)
        at com.semmle.frontend.ast.visit.DefaultVisitor.visit(DefaultVisitor.java:109)
        at com.semmle.frontend.analysis.QLReferenceGraphBuilder.visit(QLReferenceGraphBuilder.java:521)
        at java.base/java.util.ArrayList.forEach(Unknown Source)
        at com.semmle.frontend.ast.visit.DefaultVisitor.visit(DefaultVisitor.java:58)
        at com.semmle.frontend.analysis.QLReferenceGraphBuilder.visit(QLReferenceGraphBuilder.java:471)
        at com.semmle.frontend.analysis.QLReferenceGraphBuilder.getDependencyGraph(QLReferenceGraphBuilder.java:191)
        at com.semmle.frontend.analysis.QLStratificationReporter.checkStratification(QLStratificationReporter.java:30)
        at com.semmle.frontend.compiler.QLCompileTarget.createPipeline(QLCompileTarget.java:107)
        at com.semmle.frontend.compiler.QLCompileTarget.createPipeline(QLCompileTarget.java:76)
        at com.semmle.frontend.compiler.QLCompileTarget.compile(QLCompileTarget.java:58)
        at com.semmle.cli2.ql.CompilationCommon$OneCompilation.lambda$compileInner$0(CompilationCommon.java:354)
        at com.semmle.cli2.ql.CompilationCommon$OneCompilation.compileInner(CompilationCommon.java:437)
        at com.semmle.cli2.ql.CompilationCommon$OneCompilation.compile(CompilationCommon.java:273)
        at com.semmle.cli2.ql.CompilationCommon.compile(CompilationCommon.java:241)
        at com.semmle.cli2.ql.CompilationCommon.compile(CompilationCommon.java:233)
        at com.semmle.cli2.ql.CompileCommand.lambda$executeSubcommand$0(CompileCommand.java:330)
        at com.semmle.util.concurrent.Paralleliser$1.lambda$next$0(Paralleliser.java:66)
        at com.semmle.util.concurrent.FutureUtils.supplyCompose(FutureUtils.java:248)
        at com.semmle.util.concurrent.Paralleliser.lambda$startMoreJobs$3(Paralleliser.java:109)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.base/java.lang.Thread.run(Unknown Source)

As far as I can tell, this is a genuine CodeQL CLI bug, which is hiding reporting proper and actionable errors from your code. I will report this to my colleagues, sorry for the inconvenience!

As far as your query goes, it seems the Go documentation was not updated and doesn't give much help for using the new data flow API that we have been rolling out to many languages. You can draw inspiration from guides for other languages, like the javascript one. You can also draw inspiration from existing Go queries like this one.

After fiddling around and fighting a bit against the above CLI crash, I could get this to compile fine, which should be a good starting point for you.

import go
import semmle.go.dataflow.TaintTracking
import semmle.go.dataflow.DataFlow

module AllToAllConfiguration implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
      source instanceof DataFlow::ParameterNode
   }

   predicate isSink(DataFlow::Node sink) {
    exists(DataFlow::CallNode call |
      call.getTarget().hasQualifiedName("exec", "CommandContext") and
      sink = call.getArgument(0)
    )
   }
}

module MyFlow = TaintTracking::Global<AllToAllConfiguration>;

from MyFlow::PathNode sourceNode, MyFlow::PathNode sinkNode
where MyFlow::flowPath(sourceNode, sinkNode)
select sinkNode,
  "Data flows from "
  + sourceNode.getNode().toString()
  + " (param) to "
  + sinkNode.getNode().toString()
  + " (call argument)."

[redsun82]

seems like the thing bringing up the compilation crash is using + on undefined entities (in your case it was for example sourceNode.getNode().toString(), as TaintTracking::PathNode does not exist). The same crash can be reproduced with this minimal example:

from Undefined x
select x + x

[redsun82]

FYI, this problem was introduced in version 2.20.1 and we're working on having it resolved for 2.20.2 (which should be available around January the 24th). In the meantime, if the crash is too annoying for your QL development, you can downgrade to 2.20.0.